ONC Interoperability Meeting Raises More Questions Than Answers

ONC’s first public event under the new administration was very well organized and run. Eight leading health information exchange incumbents were able to describe their current approaches and plans, the patient advocate position was clearly stated, and a nice synthesis of the issues raised by the trusted framework approach to interoperability was prepared by a consulting organization. Much to ONC’s credit, they went out of their way to provide access and public comment to an extent that is unprecedented in my experience. Slides and recordings will be posted soon and a 30-day comment period runs through August 24. Kudos to ONC.

The proceedings raised a lot more questions than answers and, from my perspective, call into question the whole approach to interoperability that we’ve inherited from the HITECH-era ONC.

  • Algorithmic (and coercive) patient identity matching has no solution in sight
  • Interoperability between HIPAA and non-HIPAA entities has no solution in sight
  • Different frameworks with different governance principles can only interoperate at a lowest common denominator, frustrating both clinicians and families
  • Identity proofing of patients confuses pretty much everyone
  • All agree that accountability is important but nobody proposed how patients can hold anyone accountable for anything
  • Incumbent systems are built around clunky document exchange instead of modern APIs and API Task Force principles
  • There is no consensus on who will pay the rent the health data brokers are seeking
  • Patient access is an afterthought for most of the data brokers and no solution seems to be in sight
  • The 21st Century Cures goal of a Longitudinal Health Record was not mentioned by anyone at all

By contrast, in the patient perspective presentation by Cynthia Fisher, we heard a call to turn the interoperability problem on its head: to start with the patient and caregiver, not the provider and EHR vendor. “We paid for it already…we own it and should have it”, she said.

ONC now faces an unenviable choice. Do they “stay the course” as DirectTrust is asking or do they abandon an interoperability strategy that has failed by almost any objective measure? Am I posing a false dichotomy?

As discussed in an earlier post, there are examples from law enforcement and consumer finance where intermediaries serve a valuable role in information exchange. In healthcare, these roles correspond to registries such as prescription drug monitoring programs (analogous to a “do not fly” list) and relationship locator services (analogous to the three credit bureaus), respectively. Coercive public health registries and voluntary relationship surveillance agencies are certainly needed but they are hardly a model for a broad patient-centered healthcare model that spans HIPAA, non-HIPAA, and family-caregiver principals.

An administration trying to reduce regulations while driving toward practice innovation to enable consumer choice and to reduce costs cannot afford to be bogged down in another 7 years of trying to invent new governance mechanisms to enable rent-seeking intermediaries. Health data interoperability needs to build on patient-directed exchange and plan for a longitudinal health record as an outcome. We may not even need new regulations to move in this direction. The patient right of access under HIPAA as documented by the Office for Civil Rights and API Task Force could be enough. Let’s turn away from would-be intermediaries looking to define “trust” as something they can sell you.



2 replies »

  1. William,

    The ideas proposed by Adrian in this post where there is

    1) patient-directed exchange
    2) and where the physicians who participate in the patient’s health care irregardless of institution or EHR can share and communicate effectively,
    3) and while at the same time enhancing security of that patient record

    are not an abstract dream anymore. Adrian and I are working together on a standards-based (FHIR, UMA, OAuth2), open source project which we’re describing as an electronic patient container that contains a singular patient EHR and a patient-administered authorization server:


    We have an actual working demonstration of existing and emerging technologies that, if deployed for each patient, can disrupt the current EHR environment and achieve these 3 goals without the need for political intervention.

    I go over this and the benefits of this type of solution as well as the winners and losers in detail here:

    You’ll notice that even what seems like competing entities (insurance companies, hospitals) will benefit from a patient container model as they could mitigate risk of compromised PHI data by having patient data distributed in patient containers rather than on a large institutional pot that if hacked would expose thousands of records.

    “We should fight like hell for this, I agree” – I think physicians and patients as well as individuals who have concerns about their health data privacy should strongly consider our open source project as the start for a new discussion and envision a different paradigm of how we manage and secure electronic patient health data.

  2. I just wonder how important it is to physicians to be able to see the complete time series of all other providers’ work on a given patient….easily. Isn’t that what interoperability means? Everyone knows what everyone else has done? And, of course, it means the patient can get hold of all her information, pretty much in real time as it transpires.

    But how many times do we actually see this as a tremendous problem? Docs just order another set of electrolytes or a repeat CT….whatever. And it is often good care to repeat testing and procedures…like “he needs another echo anyway, Joe.” I don’t know if I would trust a single “rare schistocytes seen” on a blood film.

    I agree with you that it would be nice and ideal….but to get this actually agreed to by all the fierce commercial interests seems fanciful. And, it may degrade the ability to get tight security too. After all, the easier it is for all providers to share their info, the easier it may be for all peek-a-boo hackers to see this stuff.

    Maybe it is going to require too much effort and require too much opportunity cost. Maybe time to give up? But I do love your insistence on the patients’ central ownership rights…for his data. We should fight like hell for this, I agree.